After a very busy couple of months dealing with political issues – some good, some bad and some very sad – I turn my attention back to my interest in all things AML. The 8th June saw the publication of the Commission’s report on its thematic review on training which they undertook in 2015. Whilst I am pleased to note that the GFSC concluded firms broadly had good awareness, there were some interesting findings worth further consideration.
The basic aim of the Review was to look at the who, what, when and why of AML/CFT Training as required by the Regulations; the first question being who needs the training. This is usefully set out in the Glossary to the Report namely the definition of a relevant employee which is:
- member of the Board
- member of the management of a firm
- employees whose duties relate to the regulated business of a firm; or
- other employees who are exposed to the risk of money laundering and terrorist financing.
I have found that people often mistake this to exclude employees who don’t “get involved” in client business, those who are not client-facing. However, many such employees should “receive training as they may be in positions whereby they see or review information which could lead to them forming a suspicion about activity within the business.” My preference is to train all staff in some type of AML/CFT training to ensure they feel included, so they take an interest in the work of the firm and are prepared if they do spot something suspicious.
To me, the content of the training (or the “what”) is probably the most important of the four as there is little point teaching the wrong stuff. The list of the what includes
- the CDD requirements;
- the requirements for the internal and external reporting of suspicion;
- the criminal and regulatory sanctions in place for failing to report information in accordance with policies, procedures and controls; and
- the principal vulnerabilities of the Firm’s products and services.
On the face of it, some generic training provided on-line, in-house or by external consultants can satisfy the requirements. However, the Commission point out that the content must be relevant both to the business of the firm and the wider environment in which the firm operates. The staff must also be “cognisant of both the risks posed to the business and the controls established by the firm to counter the threat of financial crime.”
To be able to provide quality, targeted training, it must, therefore, be informed by the firm’s business risk assessment with the risks identified flowing through into the training. The trainer should also be familiar with the policies and procedures used by the firm so they can train the staff on the means identified for preventing the risks.
When training should take place is another important aspect which seems to be misunderstood. The Handbooks require regular training to take place at least biannually but, as the Report notes, some firms acknowledge the need to provide training when there are changes to the regulatory regime, new trends and typologies emerge specific to the business of the firm or new procedures are implemented by the firm. As this happens often, regular training should really just be a refresher.
It is also quite clear that the Handbooks require the introductory AML/CFT training be “delivered prior to an employee becoming involved in the day-to-day operations of the firm”.
The Report states that
“In this regard, 65% of firms surveyed indicated that they provide induction training within a fortnight of an individual commencing employment, with 34% providing said training within the first week. Conversely, 14% of the firms sampled provide induction training within three months of an employee starting.”
In my experience, most employees are involved in the day-to-day operations of a firm fairly quickly, even if supervised, and certainly in some small way within the first week. I, personally, like to set up a meeting between the employee and the MLRO and Compliance Officer on Day One to introduce them to each other, discuss the employee’s role, their understanding of AML/CFT and their previous training. This will inform the remainder of the employee’s Induction programme and ensure that, in the unlikely event they do see something suspicious in those first few days, they know who to report to and feel able to do so. I also ensure that the employee’s supervisor knows what training is required before their staff member begins their proper job.
So why do we have to provide training? The Report starts by stating that one of the most important tools to fight financial crime is to have staff who are alert to the potential risks and identifiers of suspicious activity.
Staff can only be alert to these risks and identifiers if they know them, they know what to do when they see them and they know what happens if they don’t.
Therefore, in my mind, the responsibility of the Board to assess the training to ensure it is appropriate and effective is paramount. However, in order to do so, the Board must have timely and complete information not only on what training has been given and to whom but also whether it is relevant in the light of its risks and its policies.
It is also worth noting that a member of the Board would find it difficult to make such an assessment without being fully versed in all aspects of the regulatory requirements and the external environment in which the firm is trading. In other words, they need to be a fit and proper person.
The training requirements set out in the Handbooks are, therefore, yet another example of how all the cogs in the regulatory machine need to be well-oiled in order to ensure a firm is fully compliant. In my view, it also means that, if suitably oiled, the benefits can and will be reflected in a firm’s Balance Sheet.